Thursday

11g Fusion Middleware Install Walkthrough – Part 3 Single Sign On

Part 3 describes the process to install and setup SSO on the application tier of my Fusion Middleware Environment. I had originally intended to talk about Portal and SOA here but I didn’t realize how long the SSO portion was.

Oracle Single Sign-On and Oracle Delegated Administration Services Release 10g are required components for Oracle Portal, Forms, Reports and Discoverer Release 10g and Release 11g.

Overview of the Installation Steps
  1. Executing inspre11.pl
  2. SSO Repository Creation
  3. Install SSO 10.1.4.0.1 and upgrade it to 10.1.4.3
Executing inspre11.pl and SSO Repository Creation

More detail for the steps below can be found in Oracle’s documentation.

execute inspre11.pl with –op1. The –op1 flag will enable anonymous bind, disable entry cache and change the OID version from 11.1.1.1.0 to 10.1.4.0.1 so the SSO repository creation assistant will be able to load the schema.

On the database tier set your ORACLE_HOME environment variable to your IDM installation, and ORACLE_INSTANCE to the instance home location. Execute inspre11.pl with the –op1 parameter.
The syntax for inspre11.pl is:

$OID11gR1_ORACLE_HOME/perl/bin/perl \
$OID11gR1_ORACLE_HOME/ldap/bin/inspre11.pl OID_HOST OID_PORT {-ssl | -nonssl} \
OID_COMPONENT DB_CONNECT_STRING ODS_PASSWORD ORCLADMIN_PASSWORD \
{-op1 | -op2 | -op3}

In part 2, I used the same password for all of the accounts, so ODS_PASSWORD and ORCLADMIN_PASSWORD is the same. That’s why you will see password specified twice in my example below:

[oracle@vm2 Oracle_IDM1]$ ORACLE_HOME=/u01/app/oracle/product/mid11g/Oracle_IDM1; export ORACLE_HOME

[oracle@vm2 Oracle_IDM1]$ ORACLE_INSTANCE=/u01/app/oracle/product/mid11g/IDMasinst_1; export ORACLE_INSTANCE

[oracle@vm2 Oracle_IDM1]$ $ORACLE_HOME/perl/bin/perl $ORACLE_HOME/ldap/bin/inspre11.pl vm2 3060 -nonssl oid1 vm2:1521:FMWD password password –op1

Use RepCA to load SSO and other schemas against DB before running -op2



SSO Repository Creation

In part 2 we used a repository creation utility to load the IDM, Portal and SOA 11g schemas. Since SSO is a previous version (10g), we need to use a different repository creation utility (RCU). The 11g RCU is much nicer because it doesn’t need to be installed before you can use it. The 10g SSO RCU needs to be installed like other Oracle products before it can be installed.

The 10g SSO RCU is 32bit, so if your trying to install this on a 64bit environment, you have to type linux32 bash before you launch the runInstaller. Even tho I ran it from a 32bit shell I still encountered issues. Since you don’t need the 10g SSO RCU after you load the SSO schema I decided to install it on an old 32bit server instead of trying to figure out what was wrong.

Unzip the 10g SSO RCU archive and launch the runInstaller:

clip_image002

Click on the Next button.

clip_image004

Verify the inventory directory and change it to suit your environment. Then click on the Next button.

clip_image006

Make sure you execute the orainstRoot.sh script before clicking on the Continue button.
[root@appTier oraInventory]# ./orainstRoot.sh
Creating the Oracle inventory pointer file (/etc/oraInst.loc)
Changing groupname of /home/oracle/oraInventory to oinstall.


clip_image008

Change if necessary and click on the Next button.

clip_image010
clip_image012

I hit this warning, I can’t remember which kernel parameter was at issue but after I reviewed the problem I determined it was ok to proceed. The next time I install it, I’ll take better notes. Click on the Yes button.

clip_image014

If you need other languages select them and click on the Next button.

clip_image016

Verify that Yes is selected so that the RCU assistant launches automatically after the installation is finished and click on the Next button.

clip_image018
Click on the Install button.
clip_image020
clip_image022

The RCU assistant will automatically start and show the screen below:

clip_image024

Click on the Next button:

clip_image026

Enter the path of the Oracle Home directory for the database installed in Part 2. As well, select a log file directory and click on the Next button
.
clip_image028

We need to load the schema and register it, so verify that the Load and Register option is selected and click on the Next button:

clip_image030

Enter the information for the database created in Part 2.

clip_image032

It appears that the SSO Repca utility ignores the SGA_TARGET parameter and looks explicitly for the various SGA parmeters to make sure your database is sized correctly and setup correctly. As long as your SGA_TARGET is set high enough you can quickly login to your database, execute the commands below and continue with the RCU assistant.

SQL> alter system set aq_tm_processes =1;
SQL> alter system set db_cache_size=200M;
SQL> alter system set shared_pool_size=200M;
SQL> alter system set java_pool_size=120M;

clip_image034

Click on Yes, this requirement is only for 10g databases and we are not using 10g Portal.

clip_image036

I am using an regular file system so I selected the first option and clicked on the Next button.

clip_image038

Since I am on a SAN I am using the same directory for all tablespaces but if you are using multiple directories you will need to manually enter the information for each tablespace. Click on the Next button when complete.

clip_image040
clip_image042

By default the system tablespace datafile should be in autoextend in 11g but verify.

clip_image044
clip_image046

Enter the hostname for the server in which you installed Identity Management on in Part 2. By default the SSL port is 3131 but if you are unsure you can look at the installation summary file you should have saved back in Part 2.

clip_image048

Enter the password for orcladmin which you specified while installing Oracle Identity Management in Part 2.

clip_image050
clip_image052

I choose the default and clicked on Next.

clip_image054

Once the SSO repository has been loaded into your database you will be presented with the following screen. Click OK and your finished.

clip_image056

The 10g SSO RCU changes the ODS password for some reason so you need to change it back to the one you used back in Part 2.

Login to your database via SQL*Plus and change the ODS password using alter user ods identified by PASSWORD, where PASSWORD represents the ODS schema password before running the 10g SSO RCU Assistant.

SQL> alter user ods identified by password;
User altered


Login to the server in which Oracle Identity Management was installed and set the ORACLE_HOME, ORACLE_INSTANCE and TNS_ADMIN environment variables to reflect the IDM install and create a wallet:

[oracle@vm2 ~]$ ORACLE_HOME=/u01/app/oracle/product/mid11g/Oracle_IDM1; export ORACLE_HOME
[oracle@vm2 ~]$ ORACLE_INSTANCE=/u01/app/oracle/product/mid11g/IDMasinst_1; export ORACLE_INSTANCE
[oracle@vm2 ~]$ TNS_ADMIN=$ORACLE_INSTANCE/config; export TNS_ADMIN

[oracle@vm2 ~]$ cat $TNS_ADMIN/tnsnames.ora
OIDDB=(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=vm2)(PORT=1521))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=FMWD)))

[oracle@vm2 ~]$ $ORACLE_HOME/ldap/bin/oidpasswd connect=OIDDB create_wallet=true
password:
confirm password:
Replication password file exists
password set


Restart Oracle Internet Directory:

[oracle@vm2 bin]$ cd $ORACLE_INSTANCE/bin
[oracle@vm2 bin]$ pwd
/u01/app/oracle/product/mid11g/IDMasinst_1/bin
[oracle@vm2 bin]$ ./opmnctl stopall;
opmnctl stopall: stopping opmn and all managed processes...
[oracle@vm2 bin]$ ./opmnctl startall;
opmnctl startall: starting opmn and all managed processes...


Execute the inspre11.pl script with -op2, which resets the Oracle Internet Directory version and allows you to install Oracle Single Sign-On and Oracle Delegated Administration Services Release 10g (10.1.4.0.1). The -op2 option will also verify the orcldirectoryversion attribute has a value of OID 10.1.4.0.1.

[oracle@vm2 bin]$ $ORACLE_HOME/perl/bin/perl $ORACLE_HOME/ldap/bin/inspre11.pl vm2 3060 -nonssl oid1 OIDDB password password -op2


Install SSO/DAS against 11g OID before running -op3


Above when we executed inspre11.pl with the –op1 flag we used vm2:1521:FMWD for the database information. For some reason, with the –op2 flag, you will get an error. See the following note for details. Since we set the TNS_ADMIN environment variable above, we can pass the tnsnames.ora entry, which is OIDDB.

Subject: Inspre11.Pl Fails With Error Message No Such File Or Directory At Line 310   Doc ID: 876623.1

Install Oracle Single Sign-On and Oracle Delegated Administration Services Release 10g (10.1.4.0.1) and Upgrade to 10.1.4.3

On your application their unzip the SSO media and launch the runInstaller.

clip_image058

Click on the Next button:

clip_image060

Specify the directory for the SSO Oracle Home and click on the Next button.

clip_image062

Select Oracle Application Server Infrastructure 10g for the Single Sign-On (SSO) component and click on the Next button.

clip_image064

We already created the SSO repository, so select the second option Identity Management and click on the Next button.

clip_image066

If you haven’t already review Note 465847.1, it lists the required packages for OEL 5 and if you made the OS changes listed in Part 1 then you should be fine. So I ignored this error and continued.. I’m pretty sure it was looking for packages I have installed but of a lower release level. Click on Next to continue.

clip_image068

You’ll need to execute the root.sh script as part of this install. Click on the Next button to continue.

clip_image070

We are only using SSO and Delegated Administration Services, so I de-selected the other options and clicked on the Next button.
clip_image072

Click on the Next button.

clip_image074

Enter the hostname and port number for your IDM install from Part 2.

clip_image076

Enter the password for the orcladmin account which you specified during the IDM install in Part 2.

clip_image078

Create an Instance Name, I put SSO in front of the instance name to keep it logical. After you enter a password click on the Next button.

clip_image080

Click on the Install button.

clip_image082
clip_image084

During the install you may see this error. It can be safely ignored as per note: 465847.1


clip_image086

Before you click on the OK button above you should download and apply patch patch 5649850 before running run the root.sh script.

To apply this patch set your ORACLE_HOME environment variable to your SSO Oracle Home, unzip the patch, change into the patch directory and execute $ORACLE_HOME/OPatch/opatch apply.

If you get an error:

The Oracle Home /u01/app/oracle/product/mid11g/SSOHome_1 is not registered with the Central Inventory. OPatch was not able to get details of the home from the inventory.

Try upgrading Opatch to OPatch Version: 1.0.0.0.60

Once you have applied the patch click on the OK button.

clip_image088

Once the install has finished the configuration assistants will run. Assuming no issues are encountered you will be presented with the End of Installation screen below:

clip_image090

SSO has been installed but now we need to upgrade it to 10.1.4.3.0:

Upgrade SSO to 10.1.4.3.0

Upgrade Oracle Single Sign-On and Oracle Delegated Administration Services to Release 10g (10.1.4.3.0) by applying the Oracle Identity Management 10g (10.1.4.3.0) Patch Set. You can get the Oracle Identity Management 10g (10.1.4.3.0) Patch Set from My Oracle Support (formerly MetaLink) by searching for Bug or Patch Number 7215628.

Stop SSO:

If you don’t stop it beforehand I believe the installer will stop it for you.

echo "Stopping SSO Components. . ."
cd $SSO_HOME/bin
./emctl stop iasconsole
sleep 5
cd $SSO_HOME/opmn/bin
./opmnctl stopall

Download patch 7215628, unzip it and launch the runInstaller:

clip_image092

Click on Next.

clip_image094

Select the SSO Home from the drop down list and click on Next.

clip_image096
clip_image098

Enter your Metalink credentials if you would like configuration manager installed. I opted not to install it.

image
Enter the ias_admin password you specified during the SSO install above. Click on Next to continue.

clip_image102

Enter the orcladmin password from the IDM install performed in Part 2. Click on Next to continue.

clip_image104

Enter SYS password for the database created in Step 2.

clip_image106

I shutdown SSO before but if you didn’t, the installer will do that now. Click on OK to continue.

clip_image108

Click the on the Install button.

clip_image110

Once the install finishes you’ll be prompted to run the root.sh script. Perform that task and click on the OK button.

clip_image112
clip_image114

After the configuration assistants execute successfully the patch will be completed:

clip_image116

Click on Exit.

On the IDM server execute the inspre11.pl script with -op3, which sets the Oracle Internet Directory version back to 11g Release 1 (11.1.1).

Set the environment variables setup the IDM environment:

oracle@vm2 ~]$ ORACLE_HOME=/u01/app/oracle/product/mid11g/Oracle_IDM1; export ORACLE_HOME
[oracle@vm2 ~]$ ORACLE_INSTANCE=/u01/app/oracle/product/mid11g/IDMasinst_1; export ORACLE_INSTANCE
[oracle@vm2 ~]$ TNS_ADMIN=$ORACLE_INSTANCE/config; export TNS_ADMIN


[oracle@vm2 ~]$ORACLE_HOME/perl/bin/perl $ORACLE_HOME/ldap/bin/inspre11.pl vm2 3060 -nonssl oid1 OIDDB password password –op3

Change orcldirectoryversion to 11.1.1.1.0 and enable entrycache


Verify the install was successful by logging in to Oracle Delegated Administration Services. You should be redirected to Oracle Single Sign-On and if your able to login in successfully everything should be installed correctly.

The URL where vm7 is the server name for the application tier:

http://vm7:7777/oiddas/

Part 4 will cover the Portal and SOA Installation.

33 comments:

Anonymous said...

Hi,
Thank you for sharing.
Are you IDM(oid) and OSSO use same ODS schema??
In my test, RCU assistant select "Load and Register"
I cant reuse ODS schema.
OFM Vesrion 11.1.2

Thanks.
Mac@TW

siva said...

Hi,

Really a very useful document for IDM guys.

I was trying to do the same but i was facing an issue in executing opatch. It was returning me the below error message while executing opatch

MISSING_COMPONENT : oracle.dbjava.rsf, 10.2.0.4.0

This Oracle Home does not have components/versions required by the patch.

ERROR: OPatch failed during pre-reqs check.
OPatch returns with error code = 150

Please suggest.

Thanks & Regards,

Siva Pokuri.

Dave said...

Mac: IDM and OSSO are using the same schema... For IDM the schemas get prefixed with a value you specify during the install.. Mine is DEV_, so there is no overlap.

Siva: I would try upgrading to the latest OPatch and make sure your environment is setup correctly.

Anonymous said...

Hi,
Thank you for sharing. I tried to do the same, but I used database 11R2 (version 11.2.0.1.0). When upgraded SSO to 10.1.4.3.0 with using 7215628 patch set, it displayed error: "Oracle Universal Installer has detected that your database is version 11.2.0.1.0. Before you can continue, you must apply a required Database patch set. Refer to My Oracle Support for the latest OracleAS Metadata Repository certification information", and install process didnt continue.
I used database 11gR2, SSO Repository Creation 10.1.4.3.1. Please help me.

Thanks & Best Regards,

Metro@TV.

Khang said...

I got the same error "Oracle Universal Installer has detected that your database is version 11.2.0.1.0. Before you can continue, you must apply a required Database patch set. Refer to My Oracle Support for the latest OracleAS Metadata Repository certification information"

To fix this issue, you need to apply this patch 6265268 from Metalink.

One additional note is that I also needed to replace the jar files in /inventory/Queries21/DBConnectQueries/8.4 and /inventory/Queries21/IP_DBQueries/3.0

Dave said...

Thanks for the info Khang!

Higor Fortunato said...

Database 11G R2 is not compatible.
I opened a SR and received none workaround. Then, I started again using database 11G R1

Anonymous said...

Hi i am doing the exactly the same installation but in windows 2008. Now in windows after the SSO installation it does not ask to run root.sh it starts directly the configuration of the assistants so i do not have the time to apply the necessary opatch.
Any ideas how to counter this problem?

Dave said...

If it doesn't stop so you can run the root.sh file, then just apply the patch after. I'm pretty sure I forgot to apply it once, applied it after and everything was ok.

If that doesn't work, maybe someone else has experienced this issues, solved it and will leave a comment.

Tomás said...
This comment has been removed by the author.
Tomás said...
This comment has been removed by the author.
Tomás said...

Hi Siva Pokuri,

I have the same problem as you "MISSING_COMPONENT : oracle.dbjava.rsf, 10.2.0.4.0", How i have to fix this error?.

Thanks & Regards,

Tomás.

Tomás said...

Hi Siva Pokuri,

I have the same problem as you "MISSING_COMPONENT : oracle.dbjava.rsf, 10.2.0.4.0", How i have to fix this error?.

Thanks & Regards,

Tomás.

Anonymous said...

The "MISSING_COMPONENT : oracle.dbjava.rsf, 10.2.0.4.0" error is caused by applying a 10.2 patch on a 10.1 install. Download the correct patch version and you should be ok.

Fharose said...
This comment has been removed by the author.
Anonymous said...

Hi
When I run the OAS 10.1.4.x installer, it says RHEL 5 is not supported.
Thnks
Ferry.

Ramkumar said...

Hi,

How to install SSO Metadata Repository Creation Assistant (10.1.4.3.1)
in Windows 2008 64bit version?

It is not not installing properly.

Please guide me

Dave said...

Hi Ramkumar, all my platforms are linux so unfortunately I don't any tips for windows.

tnx

Ramkumar said...

Hi Dave,

Thanks for your reply.

I am facing one more issue with Enterprise manager Fusion Middleware control.

If I logged out once, i could not login again. It is throwing below error.

Login failed. Error connecting to the Server

How to resolve this issue.

Same time i am able to login weblogic administration console.

Vinodh Kolluri said...

Hi Ramkumar,

I'm facing the same issue. Did you get a solution for that ??

Thanks,
Vinodh

Vinodh Kolluri said...

Its fixed by bouncing the Admin Server.

Thanks,
Vinodh

Nathan said...

Did you run MRCA against the 11g database? I have a tar open currently because I can't get SSO to start. The analyst pointed me to note 740417.1. It states:

The Metadata Repository Creation Assistant (MRCA) 10.1.4.0.1 is incompatible with Database 11.1.0.6. Therefore, customers should ensure that the Metadata Repository for Oracle Internet Directory is created on a previous version of the Oracle Database and then upgrade the version to 11.1.0.6.

The high level steps are:

a) Install a separate 10.2 Database Server
b) Run MRCA 10.1.4.0.1
c) Install Identity Management 10g 10.1.4.0.1
d) Apply 10.1.4.2 or newer Patchset
e) Upgrade 10.2 to 11.1 following the Oracle Database Upgrade Guide

Did you install directly to 11.1?

This has to be one of the worst Oracle products to install and this is coming from someone who has installed a lot of them.

Dave said...

Are you talking about the 10g SSO repository creation utility? If so, take a look at:

http://download.oracle.com/docs/cd/E14571_01/install.1111/e12002/sso_das002.htm

If you are installing Oracle Single Sign-On and Oracle Delegated Administration Services against a Release 11.x database, you must apply Patch 5649850 for release 10.1.0.5 to the Oracle Single Sign-On ORACLE_HOME directory. Patch 5649850 updates the 10.1.0.5 JDBC driver, allowing connectivity to a Release 11.x database. If you are unable to apply this patch due to a prerequisite failure, apply Patch 6880880 for release 1 before applying patch 5649850.

SSO has to be at 10.1.4.3:

Upgrade Oracle Single Sign-On and Oracle Delegated Administration Services to Release 10g (10.1.4.3.0) by applying the Oracle Identity Management 10g (10.1.4.3.0)

Anonymous said...

I had this error:-
$ /home/oracle/Oracle/Middleware/Oracle_IDM1/perl/bin/perl /home/oracle/Oracle/Middleware/Oracle_IDM1/ldap/bin/inspre11.pl host.benar.com 3131 -ssl oid1 host.benar.com:1521:orcl.benar.com Pa$$w0rd Pa$$w0rd -op1

ldap_bind: Invalid credentials

ldap_bind: Invalid credentials

Verify that the OID Component name is correct
Enable anonymous bind using ldapmodify tool or Oracle Directory Services Manager tool
Disable entry cache using ldapmodify tool or Oracle Directory Services Manager tool
Use RepCA to load SSO and other schemas against DB before running -op2

my specifications:-
1- OEL 5.5 x86-64
2- DB 11g R2
3- WebLogic 10.3.3
4- Identity Management 11.1.1.2.0

any help please ?

Anonymous said...

ERROR - Unable to connect to the database. See the log file for details. Check that you have provided the proper service name for the database, that the database is running, the database connection information is valid, and that the database is set up for password file authentication. For more information, click the Help button.:ORA-06550: line 1, column 7:
PLS-00201: identifier 'DBMS_IAS_VERSION.SET_COMPONENT_LOADING' must be declared
ORA-06550: line 1, column 7:
PL/SQL: Statement ignored

ANY HELP ?

Anonymous said...

hi,
thanks for sharing
i am stuck at installation of SSO
i looked everywhere but just cant find Oracle Single Sign-On and Oracle Delegated Administration Services Release 10g (10.1.4.0.1)
i completed task untill that part but i cant go forward if anybody can tell me how to reach that file that would be great

Rizwan Arshad said...

I was getting linking issues during the MRCA 10.1.4.3.1 installation on OEL 5.5 x86_64 and the following worked for me (taken from MOS note 377359.1):

1. Remove any existing MRCA installation.

2. Backup gcc: mv /usr/bin/gcc /usr/bin/gcc.save

3. Create a text file /usr/bin/gcc with the following content:

/usr/bin/gcc.save -m32 $*

4. chmod ugo+x /usr/bin/gcc

5. Verify gcc and gcc.save files

/usr/bin/gcc.save - This is the original binary
/usr/bin/gcc - This is a text file containing one line

6. Install the MRCA software - optionally use patch 7391245 to start the installer

7. After installation, restore the original gcc binary

cp /usr/bin/gcc.save /usr/bin/gcc

Anonymous said...

Hi

Thanks for the post, it's been very useful for my 11 setup.

I am trying to install 11g FMW on RHEL 6 x86-64 OS.

All the installation works fine except the SSO 11.1.4.0.1, there is no specific download for x86-64 so I had to use x86 32 bit SSO 10.1.4.0.1 software (as_linux_x86_oim_oif_101401)
Installation goes fine till the configuration, while at configuration, after 7-8 components it fails at mod_sso configuration with below error.

Thu Jul 14 17:03:21 GMT+05:30 2011 Creating sso partner
Thu Jul 14 17:03:21 GMT+05:30 2011 Exception while accessing database: java.sql.SQLException: ORA-06510: PL/SQL: unhandled user-defined exception+
ORA-06512: at "ORASSO.WWSSO_API_PRIVATE", line 154
ORA-01403: no data found
ORA-06512: at line 1

java.sql.SQLException: ORA-06510: PL/SQL: unhandled user-defined exception
ORA-06512: at "ORASSO.WWSSO_API_PRIVATE", line 154
ORA-01403: no data found
ORA-06512: at line 1
at oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:125)
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:316)
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:282)

Where exactly (O.S) did you install your SSO? was it on 32-bit?

Any help is appritiated.

- Tammy

Ronald Trout said...

I have install everything and it appears to have installed with out any errors or issues, but when I try the http://appserv:7777/oiddas/ test it fails. The IE shows the generic 500 Internal Server Error.

Any pointers at what to look at would be greatly appreciate.

Thanks,
Ron

Ronald Trout said...

I have install everything and it appears to have installed with out any errors or issues, but when I try the http://appserv:7777/oiddas/ test it fails. The IE shows the generic 500 Internal Server Error.

Any pointers at what to look at would be greatly appreciate.

Anonymous said...

Hi,

I need to reinstall a new env using exactly this procedure. I have done so before. But now I am no longer able to find the MRCA or RepCA that is need here (it must be MRCA 10.1.4.3.1). Also at Oracle's websites it can no longer be found. I was wondering if you still have it? And for which platform. If you do could we try to find a way that you can send it to me or that I download it from your side?

Thanks,
Torsten (my email is: torsten@pt.lu)

Sridevi Koduru said...

Regards
Sridevi Koduru (Senior Oracle Apps Trainer Oracleappstechnical.com)
LinkedIn profile - https://in.linkedin.com/in/sridevi-koduru-9b876a8b
Please Contact for One to One Online Training on Oracle Apps Technical, Financials, SCM, Oracle Manufacturing, OAF, ADF, SQL, PL/SQL, D2K at sridevikoduru@oracleappstechnical.com | +91 - 9581017828.

Elie Fabs said...

Just awesome topic! I was searching for the same form some time ago and found a great service with a huge forms library. BTW, if anyone needs to fill out a a form, I found a blank fillable form here http://pdf.ac/3bOcSg